Comment by somat

23 days ago

Ship has already sailed, it's called DoH. Please note that it is to make your DNS safer and has absolutely nothing to do with removing your ability to resolve DNS in whatever way you want to (cough adblock cough).

How does DoH remove any capabilities of what the resolver can respond to queries with? I block ads via a DoH resolver.

  • DoH is intended to be indistinguishable from HTTPS traffic; if the application specifies a specific DoH server, a DNS-based ad block will not work.

    Right now the ad companies have not really figured this out and DoH largely works like port 53 DNS did. But give it a few years. They will up their game and our ability to MITM our own DNS queries will vanish. I will miss it.

    • Freedom of DNS choice has nothing to do with DoH.

      And you can definitely MITM a non-configurable DoH resolver if you absolutely needed to do that, as long as you can add your own trusted CA on a device.

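As an added illustration of the two points argued above (that DoH is just an HTTPS request carrying a DNS message, and that ad blocking therefore has to happen inside whichever resolver the client chose), here is a small self-contained Python sketch. It is not code from the thread or from any named resolver: it builds an RFC 8484 GET URL for a query, parses the wire-format question a DoH resolver sees after TLS termination, and synthesizes a sinkhole or NXDOMAIN answer for names on a constructed blocklist. The domain names, the `https://dns.example/dns-query` endpoint and the blocklist are all assumptions made for the example.

```python
"""Added example (not from the thread): an RFC 8484 DoH query on the wire and a
resolver-side blocklist. A network filter sees only TLS to port 443; the QNAME
is visible, and filterable, only to the resolver the client is pinned to.
Blocklist, names and endpoint are constructed for illustration."""
import base64
import struct

BLOCKLIST = {"ads.example", "tracker.example"}  # constructed sample list
SINKHOLE = "0.0.0.0"                             # what blocked A queries resolve to


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format query. DoH clients use ID 0 (RFC 8484 s4.1) to help caching."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, name):
    """RFC 8484 GET form: base64url, padding stripped, in the 'dns' parameter."""
    wire = build_query(name)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def decode_dns_param(url):
    """Reverse of doh_get_url: what the DoH server decodes before answering."""
    b64 = url.split("?dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64)


def parse_question(msg):
    """Return (qname, qtype, offset just past the question section)."""
    pos = 12  # fixed 12-byte header
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def filtering_resolver(msg):
    """Decide for one query: ('forward', None) for names not on the blocklist,
    or ('blocked', response) with a sinkhole A record / NXDOMAIN otherwise."""
    qname, qtype, qend = parse_question(msg)
    if qname.lower() not in BLOCKLIST:
        return "forward", None          # real resolver would send this upstream
    txid = struct.unpack("!H", msg[:2])[0]
    question = msg[12:qend]
    if qtype != 1:
        # Blocked name, non-A query: QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN), no answers
        header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
        return "blocked", header + question
    # Blocked A query: QR=1 RD=1 RA=1 RCODE=0 and one answer record
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    ip = bytes(int(o) for o in SINKHOLE.split("."))
    # NAME = compression pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ip
    return "blocked", header + question + answer


def answer_ip(resp):
    """Extract the IPv4 address from the single A record a blocked answer carries."""
    _, _, qend = parse_question(resp)
    rdata = resp[qend + 2 + 10: qend + 2 + 10 + 4]  # skip pointer + fixed RR fields
    return ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    url = doh_get_url("https://dns.example/dns-query", "ads.example")
    print(url)
    decision, resp = filtering_resolver(decode_dns_param(url))
    print(decision, answer_ip(resp) if resp else None)
```

The thing to notice is that nothing in `doh_get_url` is DNS-specific from the network's point of view: it is a GET to an HTTPS endpoint, so a port-53 blocker or a sniffer never sees `ads.example`. Filtering only works in `filtering_resolver`, i.e. on the server side of the TLS session, which is exactly why a DoH-based blocker is effective only for clients that point at it.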

I guess I just missed that?! I'm running a mix of Adguard and nextdns blockers on some of my mobile devices, and both are apparently handling the DoH issue for you by just blanket-blocking the resolvers and/or ports to force a fallback.... I need a beer.

  • Don't worry. Once their telemetry shows that DoH is working for enough users they'll push to remove the fallback for security reasons.